IT Panel Blog: Losing your client's documents

20 April 2017

It's a bad hair day. You have left your court papers on the
train. You open your laptop to find them electronically, hoping to
find a friendly print shop to print them out. You open a seemingly
innocuous email and lo and behold a virus infects all your computer
hard drive including your client's data. You cannot access it.
Client confidentiality blown to pieces.

What should you do if you lose papers or end up compromising a
client's rights to secure data?

Remember your overriding obligations.

These are:

(a) Barristers are required to protect the confidentiality
of a client's affairs (BSB Handbook CD6, rC15.5). Therefore, try to
avoid leaving files or computers on trains or in taxis.

(b) In respect of client affairs held on your computer,
you (not chambers) have to comply with the Data Protection Act
1998(DPA) Principles for processing client data (
here).

(c) You should be aware of Principle 7 in
particular. You have to take appropriate technical and
organisational measures against the loss or damage to clients'
personal data. Each barrister owns his or her computer and is
considered thecontroller of the data on it; chambers merely
processes your data and is not generally responsible for it
ascontroller.You should treat clients' data as securely as you
would a significant sum of your own money. Using passwords to get
into your computer and encryption of your data on the device
generally will provide some protection.

(d) That said, chambers must inform its
barristers if there has been a security breach and data held
and processed by it on behalf of its members has been
disclosed.

Reporting data losses

You need to note that:

(a) There is currently no general duty to report the loss
of electronically processed data to the Information Commissioner's
Office (ICO). However, the ICO expects to be told of serious cases
of loss. It has powers to fine up to £500,000 for serious breaches
(increasing to 20 million Euros from May 2018). You will have read
about some of these in the newspapers. A recent case concerned HCA,
the health company, which was fined £200,000 for breach of the
Principle 7 - you can read it here.

(b) You should seriously consider whether to report losses
to your client, where relevant, opposing parties, the BSB and the
ICO. Such action will mitigate any penalty which you might incur.
Also consider informing the police and insurance companies (e.g.
BMIF) and chambers.

(c) Things will change in May 2018 when the General
Data Protection Regulation (GDPR) comes into force. Significant
breaches of data security have to be reported to the ICO no later
than 72 hours after the breach has occurred - see Article 33. The
affected client (or former client, opposing party etc.) should also
be informed where major breaches have occurred - see Article
34.

(d) You may have to report yourself (or indeed another
barrister) under BSB rules C65.7 or rC66.

(e) Check whether your chambers' has an Incident Response
Plan (IRP). If it does not it may be best to create one so that
should the worst happen, everyone can refer to the plan and take
appropriate actions with minimum delay. The Annex to our general
guidance on this subject sets out a draft IRP. We discuss this in
more detail in the General Guidance itself (see paras 12
onwards).

Prevention

Prevention is always better than cure. Consider the
following:

(a) Be aware of what data you are holding and where and
how it is stored;

(b) Delete/remove to secure storage case files that are no
longer current (the 5th Principle requires this
anyway);